<!-- Thank you for submitting a Pull Request and helping to improve Home Assistant. Please complete the following sections to help the processing and review of your changes. Please do not delete anything from this template. --> ## Summary <!-- Provide a brief summary of the changes you have made and most importantly what they aim to achieve --> Remove the portWithFallback helper and update port comparisons to use URL.port directly. baseIsEqual now compares ports via url.port (no 80/443 fallback), and SafeScriptMessageHandler passes url.port ?? 0 when building origin keys (security origin uses port 0 when unspecified). This simplifies port handling and avoids implicit defaulting to standard ports. ## Screenshots <!-- If this is a user-facing change not in the frontend, please include screenshots in light and dark mode. --> ## Link to pull request in Documentation repository <!-- Pull requests that add, change or remove functionality must have a corresponding pull request in the Companion App Documentation repository (https://github.com/home-assistant/companion.home-assistant). Please add the number of this pull request after the "#" --> Documentation: home-assistant/companion.home-assistant# ## Any other notes <!-- If there is any other information of note, like if this Pull Request is part of a bigger change, please include it here. -->
@testable import HomeAssistant
import Shared
import Testing
import WebKit
/// Tests for the origin check that `SafeScriptMessageHandler` applies before a
/// script message is accepted, driven through
/// `shouldAllowMessage(isMainFrame:scheme:host:port:)`.
///
/// Every case uses `ServerFixture.withRemoteConnection`. The assertions below
/// imply that the fixture allows `https://external.example.com`,
/// `http://internal.example.com` and `https://ui.nabu.casa` — confirm against
/// `ServerFixture` before relying on that list.
struct SafeScriptMessageHandlerTests {
    /// Resets the shared fixture state, then builds a handler bound to the
    /// remote-connection server with a delegate that ignores every message.
    private func makeHandler() -> SafeScriptMessageHandler {
        ServerFixture.reset()
        return SafeScriptMessageHandler(
            server: ServerFixture.withRemoteConnection,
            delegate: NoOpScriptMessageHandler()
        )
    }

    /// Main-frame messages are accepted when scheme, host and explicit default
    /// port all match an allowed origin.
    @Test func allowsMainFrameMessageFromConfiguredServerOrigin() {
        let handler = makeHandler()

        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "external.example.com", port: 443)
        )
        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "http", host: "internal.example.com", port: 80)
        )
        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "ui.nabu.casa", port: 443)
        )
    }

    /// A port of 0 (the value passed when the origin does not specify a port)
    /// is accepted for the same three origins.
    ///
    /// NOTE(review): nothing here pins that port 0 is still refused for a
    /// mismatched scheme or an unlisted host; worth adding once the intended
    /// behaviour is confirmed against the handler, so that "unspecified port"
    /// cannot silently widen the allow-list.
    @Test func allowsMainFrameMessageWhenImplicitPortsAreReportedAsZero() {
        let handler = makeHandler()

        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "external.example.com", port: 0)
        )
        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "http", host: "internal.example.com", port: 0)
        )
        #expect(
            handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "ui.nabu.casa", port: 0)
        )
    }

    /// Each rejection case varies exactly one origin component: the host, the
    /// port, or the scheme.
    @Test func rejectsMessageFromOriginOutsideConfiguredServerOrigins() {
        let handler = makeHandler()

        // Unknown host on an otherwise plausible scheme and port.
        #expect(
            !handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "evil.example.com", port: 443)
        )
        // Allowed host and scheme, but a non-matching explicit port.
        #expect(
            !handler.shouldAllowMessage(isMainFrame: true, scheme: "https", host: "external.example.com", port: 8123)
        )
        // Allowed host, but the scheme differs from the one paired with it above.
        #expect(
            !handler.shouldAllowMessage(isMainFrame: true, scheme: "http", host: "external.example.com", port: 443)
        )
    }

    /// A message that is not from the main frame is refused even though its
    /// scheme, host and port match an origin accepted in the main-frame tests.
    @Test func rejectsIframeMessageEvenWhenHostIsAllowed() {
        let handler = makeHandler()

        #expect(
            !handler.shouldAllowMessage(isMainFrame: false, scheme: "https", host: "external.example.com", port: 443)
        )
    }
}
/// Delegate stand-in for the tests: it conforms to `WKScriptMessageHandler`
/// and discards every message it is handed.
private final class NoOpScriptMessageHandler: NSObject, WKScriptMessageHandler {
    func userContentController(
        _ userContentController: WKUserContentController,
        didReceive message: WKScriptMessage
    ) {
        // Intentionally empty: these tests only call shouldAllowMessage.
    }
}